The revised draft Cyber Security Law released by the Ministry of Transport and Communications (MOTC) on 13 January 2022 (“Draft Law 2.0”) sets out certain requirements on a digital platform service provider (DPSP). Failure to comply with the requirements could result in a fine, suspension of the relevant digital platform service (DPS) or revocation of any existing license held by the DPSP. Additionally, the MOTC may act in the public interest and shut down any DPS in Myanmar. These provisions under the Draft Law 2.0, if enacted, may have a material impact on international digital platform operators with a substantial user base in Myanmar.
Under the state of emergency, new regulations can be issued by the current administration within a short timeframe without a parliamentary review process. It is important for businesses which are providing a DPS, whether based in or outside of Myanmar, to monitor developments in respect of the Draft Law 2.0 and assess how such changes could impact their existing operations and local user base. Additionally, businesses should also look out for any subsequent release of guidelines that may provide details for the application of licenses from the MOTC.
Classification of a DPSP under the Draft Law 2.0
- Under the Draft Law 2.0, a DPSP means any individual or entity providing DPS in Myanmar. DPS covers any over-the-top (known as OTT) service providing data, information, image, voice, text and video etc. by using cyber source and similar system or materials. It is likely that social media platforms and instant messaging services would be classified as a DPS.
- Any person who intends to provide a DPS in Myanmar must apply for a license with the Information Technology and Cyber Security Department (ITCSD), a department under the purview of the MOTC, No specific guidelines have been provided for the application process.
Obligations of the DPSP
- A DPSP is required to retain user data for three years from the commencement of services to the user. Such data must be handed over to the relevant authorities upon request. The DPSP is also required to prevent, remove, destroy or suspend certain information on its platform upon notification from the ITCSD.
- Further, a DPSP with more than 100,000 users in Myanmar would need to comply with additional obligations such as the following:
(a) maintaining the storage device holding user data in accordance with regulations (it is noteworthy that no relevant regulations have been issued and it is unclear whether there will be data localization requirements)
(b) registering as an entity under the Myanmar Companies Law
(c) paying its tax obligations under applicable laws
Wide powers of the relevant authorities under the Draft Law 2.0
- In the event of a failure to comply with the above mentioned requirements, a DPSP found guilty of the offence could be punishable by imprisonment for a minimum of one year up to a maximum of three years or with a fine not exceeding MMK 10 million (approximately USD 5,000) or both. There are no separate provisions for offences committed by corporations.
- The ITCSD could take enforcement action against an offending DPSP by imposing a fine, suspending the relevant DPS or revoking any previously granted licenses.
- Separately (and without the need for any antecedent breach of the Draft Law 2.0 by the DPSP), the MOTC may act in the public interest by temporarily/permanently shutting down the DPS and/or temporarily taking control of the devices used in relation to the DPS.
Conclusion
These provisions under the Draft Law 2.0 would likely affect DPSPs under two different categories. First, with regard to any DPSP with an existing corporate presence in Myanmar, the DPSP would fall within the ambit of the regulators once the Draft Law 2.0 comes into force and be exposed to any direct enforcement proceedings taken domestically. Secondly, with regard to any DPSP which is based outside of Myanmar and has no registered domestic presence, while the Draft Law 2.0 has no extraterritorial jurisdiction over the DPSPs in this category, the authorities may still act to shut down the relevant DPS and prevent these services from being offered to users in Myanmar. This could pose a significant impact on the DPSP’s revenue streams from the country.
